Apple’s “in-app purchase” service for iOS bypassed by Russian hacker

A new service allows iOS users to pirate premium apps. But it comes at a cost.

A Russian hacker has unveiled a service that allows users of Apple iOS devices to pirate digital books, premium game levels, and other content sold through the company's in-app purchase program.

The new service, which has already been subject to attempts at shutting it down, requires no jailbreaking and only minimal configuration changes. It works by funneling purchase requests through a server operated by the hacker, rather than the legitimate one offered by Apple. As a result, charges that normally would be applied to a user's account are bypassed. A video demonstration shows an iPhone running a prerelease version of iOS 6 using the service to obtain free content, but the service's site says it works for all devices that use iOS 3 or later.

A note to readers: in addition to legal and ethical considerations involving the pirating of for-fee content, the service comes with other serious consequences. Namely, it allows the operators of the fake server to see a user's Apple ID, password, and possibly other data that is normally sent only to Apple. Hacker Alexey V. Borodin told Ars Technica that he doesn't use, log, or otherwise monitor that data, but there is no way to confirm those assurances.

In-Appstore.com Get in-app purchases for FREE!! NO JAILBREAK REQUIRED!

Using the service requires users to install two digital certificates on their iOS device and change the DNS server entry in their Wi-Fi settings. In the less than 24 hours since Borodin opened his In-AppStore.com store, two IP addresses it has used for the replacement DNS server have been blocked. It's presumed Apple officials are behind those moves, but Borodin said he can't be sure. His service has already facilitated the purchases of more than 400,000 apps, he told Ars.

As the description suggests, in-app purchases give users the ability to make purchases from within an iOS app itself. Someone playing a game, for example, can buy upgrades without having to pause and make a dedicated visit to Apple's official App Store. A dedicated reading app might similarly allow a user to buy books or articles on the fly. Purchases are processed through Apple, but the money goes to the app developer.

In a statement published by loopinsight.com, Apple representative Natalie Harrison said: "The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating."

Borodin declined to discuss exactly how his site is able to bypass Apple servers, except to say it doesn't use Apple's private encryption keys.

Promoted Comments

I'm pretty shocked by the pro-piracy tone of the whole article to be honest.

Pro-piracy how? It's not like Dan's encouraging readers to try it, nor uses language to seem like he approves of/promotes it. Is it the direct link? That's very easy for readers to determine for themselves.

I'm pretty shocked by the pro-piracy tone of the whole article to be honest. It seems to imply that any "legal and ethical" considerations are hardly worth mentioning...

You should provide support for your broad-based position. The article clearly reported the facts of the news event. Frankly, I wish more news stories both in technical and non-technical publications would just report the facts and both sides statements as this article does.

Borodin declined to discuss exactly how his site is able to bypass Apple servers

Where's the mystery? Malicious DNS. Malicious forged certificate. The user deliberately inflicts both on themself so the software doesn't detect that it's not talking to the real App Store server.

How exactly would changing a certificate on the user side of the transaction allow piracy? I find it hard to believe Apple would be foolish enough to leave it up to the client to be honest rather than also including server-side cryptographic verification.

If you add the root certificate that creates a fake cert for Apple, and the purchase system does not pin to a whitelisted cert but accepts any cert that says "Apple" that chains to an installed root, the purchase system cannot tell it is talking to a fake Apple server. So the fake server responds "yeah this is legit" and the user-side game unlocks your points.

Apparently there is some receipt system that most apps do not take advantage of, but some do, and they're not vulnerable (according to others - I have no inclination to test.)

This has already been done without requiring the user to send their login information to a Russian hacker of questionable character. iAP Cracker basically replaces the In-App-Purchase API with one that never makes a transaction, but then reports back to the app that the transaction did occur. Like this one, it generally will only work with stuff like in-game currency or other content that does not need to be downloaded after the purchase takes place.


You seem to want an editorial on the subject. That's not news.

"His service has already facilitated the purchases of more than 400,000 apps." That's not a statement of fact. He facilitated the theft of apps.

This guy is running a server that pretends to be the App Store, so he tells you how to rewire your DNS to think that it actually is. So far, makes sense. The client software is set up to ask for auth info, so fine, I can see how it would require something to be typed in. For it to have the client think that it's still on the same account, I can see how it would require your real apple ID to be typed in.

But the password? If this were NOT some kind of scam, there really should be some clear announcements that you can fill in anything for the password and it will not be checked in any way.

See, there's no way in hell this guy could build a service that *actually* checks the passwords, because he would be dependent on Apple's verification service to do that, acting only as a proxy (classic MITM attack) and if Apple stopped responding to requests from his IP he would be shut down. Plus he'd be found out simply by the massive volume and variety of requests to verify coming from his one IP to Apple.

So he doesn't just probably not check the password - he can't.

Given that, if he is not announcing that the password is meaningless**, clearly, wherever he invites people to use this service, then he is harvesting the Apple accounts of the stupid.

And to counter, to a limited extent, I would suggest that anyone using this system only type in passwords that are very wrong - they will all go through because he can't afford to check them, and if a large enough percentage of his harvested user/password database has bad passwords, he'll have a lot more trouble selling it or using it in any significant way.

All in all, this was a fairly obvious attack, that Apple saw coming and not only warned against ahead of time but built a receipt verification service to allow apps to make sure they are getting the right answer (though, to be totally sure the only way is to have a server out there on the internet for your client app to talk to, with a secured internet connection.) Of course if you do the verification directly from the device itself, the same DNS attack can be expected and your verifications will always return true, even from the falsified receipts.

So the external server is necessary.

---** Note: I am too lazy and disinterested in trying this service to actually go read whether the guy is announcing to use fake passwords. Plus it's more fun to write both sides.
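The two verification patterns argued over in the comments above (the one that accepts any "Apple" certificate chaining to an installed root and unlocks on a "yes", versus receipt verification done from a server the developer controls) can be contrasted in code. The following is an added example, not code from Ars Technica, Apple, or Borodin's service. It assumes a hypothetical app with bundle id com.example.reader selling two products, models the store round trip with a resolver table instead of real DNS and TLS, and uses store replies in the JSON shape of Apple's verifyReceipt answer (status, receipt.bundle_id, receipt.in_app[]); every address and reply in it is constructed for the example, not captured traffic.

```python
"""Device-side versus backend verification of an in-app purchase.

Added example (not code from the article, Apple, or Borodin's service).
Assumptions: app com.example.reader with two products; replies in the
JSON shape of Apple's verifyReceipt answer; all addresses and replies
below are constructed, and no real network is used.
"""
import copy

STORE_HOST = "buy.itunes.apple.com"
EXPECTED_BUNDLE_ID = "com.example.reader"          # assumed app identity
OUR_PRODUCTS = {"com.example.reader.book1", "com.example.reader.book2"}

FAKE_STORE = "203.0.113.10"   # look-alike host the user's DNS now points at (constructed)
REAL_STORE = "198.51.100.5"   # stands in for the genuine store (constructed)

# Resolver state: the user edits the device's DNS; the backend's is untouched.
DEVICE_RESOLVER = {STORE_HOST: FAKE_STORE}
BACKEND_RESOLVER = {STORE_HOST: REAL_STORE}

# Constructed replies.
GENUINE_REPLY = {
    "status": 0,
    "receipt": {
        "bundle_id": "com.example.reader",
        "in_app": [{"product_id": "com.example.reader.book1",
                    "transaction_id": "1000000000000001"}],
    },
}
# What a look-alike host can cheaply say: "success", with no receipt body.
BARE_SUCCESS_REPLY = {"status": 0, "receipt": {"bundle_id": "", "in_app": []}}
# A well-formed receipt that belongs to a different app.
OTHER_APP_REPLY = {
    "status": 0,
    "receipt": {
        "bundle_id": "com.example.otherapp",
        "in_app": [{"product_id": "com.example.reader.book1",
                    "transaction_id": "1000000000000002"}],
    },
}
REPLIES = {FAKE_STORE: BARE_SUCCESS_REPLY, REAL_STORE: GENUINE_REPLY}


def ask_store(resolver, replies=REPLIES):
    """Model of the HTTPS round trip: the answer comes from whichever
    address the caller's resolver maps STORE_HOST to."""
    return copy.deepcopy(replies[resolver[STORE_HOST]])


def device_side_unlock(product_id, resolver=DEVICE_RESOLVER):
    """The weak pattern: verify from the device and accept any status 0.
    product_id is never checked against the reply, and with the user's
    resolver a host of the user's choosing supplies the answer."""
    return ask_store(resolver).get("status") == 0


def validate_reply(reply, product_id, redeemed):
    """Backend check. Returns (granted, reason) and records the transaction
    id in `redeemed` so the same receipt cannot unlock twice."""
    if reply.get("status") != 0:
        return False, "store status %r" % reply.get("status")
    receipt = reply.get("receipt") or {}
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        return False, "receipt is not for this app"
    if product_id not in OUR_PRODUCTS:
        return False, "unknown product"
    for item in receipt.get("in_app", []):
        if item.get("product_id") != product_id:
            continue
        tx = item.get("transaction_id")
        if not tx:
            return False, "missing transaction id"
        if tx in redeemed:
            return False, "transaction already redeemed"
        redeemed.add(tx)
        return True, "ok"
    return False, "product not in receipt"


def backend_unlock(product_id, redeemed, resolver=BACKEND_RESOLVER):
    """The stronger pattern: the backend, whose resolver the user cannot
    edit, fetches the reply and applies validate_reply before the device
    is told anything."""
    return validate_reply(ask_store(resolver), product_id, redeemed)


if __name__ == "__main__":
    print("device-side, hijacked DNS:", device_side_unlock("com.example.reader.book2"))
    seen = set()
    print("backend, genuine receipt:", backend_unlock("com.example.reader.book1", seen))
    print("backend, same receipt again:", backend_unlock("com.example.reader.book1", seen))
    print("backend, other app's receipt:",
          validate_reply(OTHER_APP_REPLY, "com.example.reader.book1", set()))
    print("backend, bare success:",
          validate_reply(BARE_SUCCESS_REPLY, "com.example.reader.book2", set()))
```

The point the model makes is that moving the call off the device is necessary but not sufficient: the backend also has to check that the receipt names this app and this product and that the transaction id has not been redeemed before, otherwise "the store said yes" about some other app or some earlier purchase is accepted as payment for this one.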

1 -- that the App Store can be bypassed / redirected
2 -- that apps can bypass the DRM without jailbreaking

ALSO - that Apple will have to eventually change its stance on its dictated cattle-chute method of delivery - that this same iOS method will not work and will not work for the desktop as they are trying to push (and as Microsoft and Android are trying to copy).

All it is is the new scheme by software companies to control illegal copies, which failed like any other method before it.

A Russian hacker says he doesn't look at, see or use your personally identifiable data.

Well, ok, if you say so...

Hmm, the hack actually looks to be rather simple. Apart from having to have a server running (not a big deal), the rest of the method looks surprisingly simple. 400k transactions pilfered so far is pretty big. It just cost Apple and the developers half a million to a million in lost revenue. To Apple, peanuts; to small devs, a pretty huge deal.


Let's look at it in another similar setting. A new unreleased album shows up on hotfile.com. 1000's download the file. Here's the news story statement:

C: Hotfile facilitated the theft of an unreleased album. - questionable at best. Leave those statements to the judge and jury.

Leave C to the judges. I don't appreciate my news sources sermonising and pushing their views of moral judgement on me. It clouds the actual news, just as your insistence on pushing your brand of morality completely derails the article entirely. Does that make you complicit in aiding and abetting the theft?


But Borodin claims in his "terms of service" document that he collects no data and users do not have to enter their Apple ID and password to use the exploit.

"We collecting no data. Even if you requested to enter password to your account while you are using in-appstore.com, enter something that is not your password. For example, 1234'," the terms of service reads.


It doesn't matter what your brand of supposed morality is. The 'service' in fact did not facilitate any purchases. As for your morality, these people made an express effort to obtain freely apps they knew were to be paid for.